1 /*
2  * Copyright 2020, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 /******************************************************************************
17  *
18  *  The original Work has been changed by NXP.
19  *
20  *  Licensed under the Apache License, Version 2.0 (the "License");
21  *  you may not use this file except in compliance with the License.
22  *  You may obtain a copy of the License at
23  *
24  *  http://www.apache.org/licenses/LICENSE-2.0
25  *
26  *  Unless required by applicable law or agreed to in writing, software
27  *  distributed under the License is distributed on an "AS IS" BASIS,
28  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
29  *  See the License for the specific language governing permissions and
30  *  limitations under the License.
31  *
32  *  Copyright 2022-2023 NXP
33  *
34  ******************************************************************************/
35 #pragma once
36 
37 #include "CborConverter.h"
38 #include "JavacardSecureElement.h"
39 #include <aidl/android/hardware/security/keymint/BnKeyMintDevice.h>
40 #include <aidl/android/hardware/security/keymint/BnKeyMintOperation.h>
41 #include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
42 #include <aidl/android/hardware/security/sharedsecret/SharedSecretParameters.h>
43 
44 namespace aidl::android::hardware::security::keymint {
45 using cppbor::Item;
46 using ::keymint::javacard::CborConverter;
47 using ::keymint::javacard::JavacardSecureElement;
48 using ndk::ScopedAStatus;
49 using secureclock::TimeStampToken;
50 using std::optional;
51 using std::shared_ptr;
52 using std::vector;
53 
54 class JavacardKeyMintDevice : public BnKeyMintDevice {
55   public:
JavacardKeyMintDevice(shared_ptr<JavacardSecureElement> card)56     explicit JavacardKeyMintDevice(shared_ptr<JavacardSecureElement> card)
57         : securitylevel_(SecurityLevel::STRONGBOX), card_(std::move(card)),
58           isEarlyBootEventPending(true) {
59         card_->initializeJavacard();
60     }
~JavacardKeyMintDevice()61     virtual ~JavacardKeyMintDevice() {}
62 
63     // Methods from ::ndk::ICInterface follow.
64     binder_status_t dump(int fd, const char** args, uint32_t num_args) override;
65 
66     ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override;
67 
68     ScopedAStatus addRngEntropy(const vector<uint8_t>& data) override;
69 
70     ScopedAStatus generateKey(const vector<KeyParameter>& keyParams,
71                               const optional<AttestationKey>& attestationKey,
72                               KeyCreationResult* creationResult) override;
73 
74     ScopedAStatus importKey(const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
75                             const vector<uint8_t>& keyData,
76                             const optional<AttestationKey>& attestationKey,
77                             KeyCreationResult* creationResult) override;
78 
79     ScopedAStatus importWrappedKey(const vector<uint8_t>& wrappedKeyData,
80                                    const vector<uint8_t>& wrappingKeyBlob,
81                                    const vector<uint8_t>& maskingKey,
82                                    const vector<KeyParameter>& unwrappingParams,
83                                    int64_t passwordSid, int64_t biometricSid,
84                                    KeyCreationResult* creationResult) override;
85 
86     ScopedAStatus upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
87                              const vector<KeyParameter>& upgradeParams,
88                              vector<uint8_t>* keyBlob) override;
89 
90     ScopedAStatus deleteKey(const vector<uint8_t>& keyBlob) override;
91     ScopedAStatus deleteAllKeys() override;
92     ScopedAStatus destroyAttestationIds() override;
93 
94     virtual ScopedAStatus begin(KeyPurpose in_purpose, const std::vector<uint8_t>& in_keyBlob,
95                                 const std::vector<KeyParameter>& in_params,
96                                 const std::optional<HardwareAuthToken>& in_authToken,
97                                 BeginResult* _aidl_return) override;
98 
99     ScopedAStatus deviceLocked(bool passwordOnly,
100                                const optional<TimeStampToken>& timestampToken) override;
101 
102     ScopedAStatus earlyBootEnded() override;
103 
104     ScopedAStatus getKeyCharacteristics(const std::vector<uint8_t>& in_keyBlob,
105                                         const std::vector<uint8_t>& in_appId,
106                                         const std::vector<uint8_t>& in_appData,
107                                         std::vector<KeyCharacteristics>* _aidl_return) override;
108 
109     ScopedAStatus convertStorageKeyToEphemeral(const std::vector<uint8_t>& storageKeyBlob,
110                                                std::vector<uint8_t>* ephemeralKeyBlob) override;
111 
112     ScopedAStatus getRootOfTrustChallenge(std::array<uint8_t, 16>* _aidl_return) override;
113 
114     ScopedAStatus getRootOfTrust(const std::array<uint8_t, 16>& in_challenge,
115                                   std::vector<uint8_t>* _aidl_return) override;
116 
117     ScopedAStatus sendRootOfTrust(const std::vector<uint8_t>& in_rootOfTrust) override;
118 
119   private:
120     keymaster_error_t parseWrappedKey(const vector<uint8_t>& wrappedKeyData,
121                                       std::vector<uint8_t>& iv, std::vector<uint8_t>& transitKey,
122                                       std::vector<uint8_t>& secureKey, std::vector<uint8_t>& tag,
123                                       vector<KeyParameter>& authList, KeyFormat& keyFormat,
124                                       std::vector<uint8_t>& wrappedKeyDescription);
125 
126     std::tuple<std::unique_ptr<Item>, keymaster_error_t> sendBeginImportWrappedKeyCmd(
127         const std::vector<uint8_t>& transitKey, const std::vector<uint8_t>& wrappingKeyBlob,
128         const std::vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams);
129 
130     std::tuple<std::unique_ptr<Item>, keymaster_error_t>
131     sendFinishImportWrappedKeyCmd(const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
132                                   const std::vector<uint8_t>& secureKey,
133                                   const std::vector<uint8_t>& tag, const std::vector<uint8_t>& iv,
134                                   const std::vector<uint8_t>& wrappedKeyDescription,
135                                   int64_t passwordSid, int64_t biometricSid);
136 
137     ScopedAStatus defaultHwInfo(KeyMintHardwareInfo* info);
138 
139     void handleSendEarlyBootEndedEvent();
140 
141     const SecurityLevel securitylevel_;
142     const shared_ptr<JavacardSecureElement> card_;
143     CborConverter cbor_;
144     bool isEarlyBootEventPending;
145 };
146 
147 }  // namespace aidl::android::hardware::security::keymint
148